Merge branch 'main' into task_edeng_61

Author: mohini-crl

src/current/_includes/cockroachcloud/backups/cloud-api-get-put.md

@@ -1,7 +1,7 @@
 You can use the [CockroachDB Cloud API]({% link cockroachcloud/cloud-api.md %}) to [view](#get-information-on-backup-settings) and [modify](#modify-backup-settings-on-a-cluster) managed backup settings.
 
 {{site.data.alerts.callout_info}}
-The [service account]({% link cockroachcloud/authorization.md %}#service-accounts) associated with the secret key must have the [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) role.
+The [service account]({% link cockroachcloud/authorization.md %}#service-accounts) associated with the secret key must have the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) role.
 {{site.data.alerts.end}}
 
 ### Get information on backup settings

src/current/_includes/cockroachcloud/backups/managed-backup-perms.md

@@ -1,7 +1,7 @@
 To restore a managed backup successfully in CockroachDB {{ site.data.products.cloud }}, you must have the appropriate [permissions]({% link cockroachcloud/authorization.md %}) on both the source and destination clusters:
 
-- You must have either the [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) role on the **destination cluster**, or at the [organization level]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model). Without one of these roles, the restore operation will fail.
-- You must also have either the [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) role on the **source cluster** (the cluster from which the backup was taken), or at the [organization level]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model). If you do not have the required permissions on the source cluster, the restore will fail.
+- You must have either the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) role on the **destination cluster**, or at the [organization level]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model). Without one of these roles, the restore operation will fail.
+- You must also have either the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) role on the **source cluster** (the cluster from which the backup was taken), or at the [organization level]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model). If you do not have the required permissions on the source cluster, the restore will fail.
 
 {{site.data.alerts.callout_info}}
 Organization-level permissions take precedence over cluster-specific permissions. If you have the appropriate role at the organization level, you are authorized to perform restore operations on all clusters within that organization.

src/current/_includes/cockroachcloud/cluster-operator-prereq.md

@@ -1 +1 @@
-Either the [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) or [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) role on a pre-existing cluster, or the [Cluster Creator](authorization.html#cluster-creator) role in order to create a new cluster.
+Either the [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) or [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) role on an existing cluster, or the [Cluster Creator](authorization.html#cluster-creator) role in order to create a new cluster.

src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md

@@ -1,3 +1,3 @@
 {{site.data.alerts.callout_info}}
-Only [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) and [Cluster Administrators]({% link cockroachcloud/authorization.md %}#cluster-administrator) can create SQL users and issue credentials.
+Only [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) and [Cluster Admins]({% link cockroachcloud/authorization.md %}#cluster-admin) can create SQL users using the {{site.data.products.cloud}} Console or API. These SQL users default to the `Admin` role. For granular provisioning of SQL user privileges, refer to documentation on [using the cluster's SQL interface]({% link cockroachcloud/managing-access.md %}?filters=client#create-a-sql-user).
 {{site.data.alerts.end}}

src/current/_includes/cockroachcloud/first-org-user-roles.md

@@ -1,10 +1,10 @@
 {{site.data.alerts.callout_info}}
 The user who creates a new organization is assigned the following [roles]({% link cockroachcloud/authorization.md %}#organization-user-roles) at the organization scope:
 
-- [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator)
+- [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin)
 - [Billing Coordinator]({% link cockroachcloud/authorization.md %}#billing-coordinator)
-- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator)
+- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin)
 - [Folder Administrator]({% link cockroachcloud/authorization.md %}#folder-admin)
 
-Any of these roles may subsequently be removed by a user with both the Org Administrator role and the Cluster Admin role at the organization scope. This is to ensure that at least one user has both of these roles.
+Any of these roles may subsequently be removed by a user with both the Organization Admin role and the Cluster Admin role at the organization scope. This is to ensure that at least one user has both of these roles.
 {{site.data.alerts.end}}

src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md

@@ -0,0 +1,54 @@
+The following table describes the high level permissions given by each CockroachDB {{ site.data.products.cloud }} user role. Permissions are additive, so a user with multiple roles is given all permissions in each area across all assigned roles.
+
+<div class="roles-table" markdown="1">
+
+|  | Org. Member | Org. Admin | Billing Coord. | Cluster Creator | Cluster Operator | Cluster Admin | Cluster Developer | Folder Admin | Folder Mover |
+|---|-------------|-------------|------------------|------------------|-------------------|----------------|--------------------|----------------|----------------|
+| **User/Access Management** |  |  |  |  |  |  |  |  |  |
+| Assign and revoke roles | — | ✓ | — | — | — | ✓ | — | — | — |
+| Assign {{ site.data.products.cloud }} user and service account roles | — | — | — | — | — | ✓ | — | — | — |
+| Manage SQL users | — | — | — | — | — | ✓ | — | — | — |
+| Manage {{ site.data.products.cloud }} users and service accounts | — | ✓ | — | — | — | ✓ | — | — | — |
+| Apply roles at the [folder]({% link cockroachcloud/folders.md %}) scope | — | — | — | — | — | — | — | ✓ | — |
+| **Cluster & Infrastructure** |  |  |  |  |  |  |  |  |  |
+| Create cluster or [private cluster]({% link cockroachcloud/private-clusters.md %}) | — | — | — | ✓ | — | — | — | — | — |
+| Create / edit / delete cluster | — | — | — | — | — | ✓ | — | — | — |
+| Edit / delete clusters created by this user | — | — | — | ✓ | — | — | — | — | — |
+| Create / delete / manage [folders]({% link cockroachcloud/folders.md %}) | — | — | — | — | — | — | — | ✓ | — |
+| Move cluster between [folders]({% link cockroachcloud/folders.md %}) | — | — | — | — | — | — | — | — | ✓ |
+| Scale nodes | — | — | — | — | ✓ | ✓ | — | — | — |
+| Upgrade CockroachDB | — | — | — | — | ✓ | ✓ | — | — | — |
+| Configure [maintenance windows]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) | — | — | — | — | ✓ | ✓ | — | — | — |
+| Use the [{{ site.data.products.cloud }} Terraform provider]({% link cockroachcloud/provision-a-cluster-with-terraform.md %}) | — | — | — | ✓ | — | ✓ | — | — | — |
+| **Monitoring & Observability** |  |  |  |  |  |  |  |  |  |
+| View cluster details | — | — | — | — | — | — | ✓ | — | — |
+| View [audit logs]({% link cockroachcloud/cloud-org-audit-logs.md %}) | — | — | — | — | ✓ | — | — | — | — |
+| View [insights]({% link cockroachcloud/insights-page.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
+| View [jobs]({% link cockroachcloud/jobs-page.md %}) | — | — | — | — | ✓ | — | — | — | — |
+| View [metrics]({% link cockroachcloud/metrics.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
+| Send [test alerts]({% link cockroachcloud/alerts-page.md %}#send-a-test-alert) | — | — | — | — | ✓ | — | — | — | — |
+| Access [DB console]({% link cockroachcloud/network-authorization.md %}#db-console) | — | — | — | — | ✓ | ✓ | ✓ | — | — |
+| **Security** |  |  |  |  |  |  |  |  |  |
+| Configure [cluster SSO]({% link cockroachcloud/cloud-sso-sql.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
+| Manage [egress perimeter controls]({% link cockroachcloud/egress-perimeter-controls.md %}) | — | — | — | — | — | ✓ | — | — | — |
+| Manage [network authorization]({% link cockroachcloud/network-authorization.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
+| View PCI status | — | — | — | — | ✓ | ✓ | — | — | — |
+| **Database & Data** |  |  |  |  |  |  |  |  |  |
+| Manage databases | — | — | — | — | ✓ | ✓ | — | — | — |
+| View / restore [backups]({% link cockroachcloud/backup-and-restore-overview.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
+| **Billing & Licensing** |  |  |  |  |  |  |  |  |  |
+| Manage [billing]({% link cockroachcloud/billing-management.md %}) | — | — | ✓ | — | — | — | — | — | — |
+| Manage [email alerts]({% link cockroachcloud/alerts-page.md %}#configure-alerts) | — | ✓ | — | — | — | — | — | — | — |
+| Manage CockroachDB [Self-Hosted cluster licenses]({% link {{ site.current_cloud_version }}/licensing-faqs.md %}#obtain-a-license) | — | ✓ | — | — | — | — | — | — | — |
+
+</div>
+
+Some roles can be assigned to users at specific levels of scope to provide more granular permission control:
+
+| **Scope level** | **Description** | **Applicable roles** |
+|---|---|---|
+| `Organization` | Applies to the entire CockroachDB {{ site.data.products.cloud }} organization, including all clusters and folders | `Cluster Operator`, `Cluster Admin`, `Cluster Creator`, `Cluster Developer`, `Billing Coordinator`, `Organization Admin`, `Folder Admin`, `Folder Mover` |
+| `Folder` | Applies to clusters within a specific [folder]({% link cockroachcloud/folders.md %}). Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Operator`, `Cluster Admin`, `Cluster Creator`, `Cluster Developer`, `Folder Admin`, `Folder Mover` |
+| `Cluster` | Applies to a specific cluster | `Cluster Operator`, `Cluster Admin`, `Cluster Developer` |
+
+{% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions given, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %}

src/current/_includes/cockroachcloud/org-roles/folder-admin.md

@@ -1,5 +1,5 @@
-    A {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} can create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. They can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders.
+    The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role allows users to create, rename, move, delete, and manage access to folders where they are assigned the role. Users can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be assigned at the level of the organization or on a specific folder. If assigned at the level of the organization, the role allows users to view all users and service accounts in the organization. If assigned to a specific folder, the role is inherited by descendant folders.
 
-    A user with the {% if page.name == 'authorization.md' %}[Org Administrator](#org-administrator){% else %}[Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator){% endif %} role can grant themselves, another user, or a service account the Folder Admin role.
+    A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin){% endif %} role can assign themselves, another user, or a service account the Folder Admin role.
 
-    To create or manage clusters in a folder, a Folder Admin also needs the {% if page.name == 'authorization.md' %}[Cluster Administrator](#cluster-administrator) or [Cluster Creator](#cluster-creator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator){% endif %} role on that folder directly or by inheritance. To delete a cluster, the Cluster Administrator role is required on the cluster directly or by inheritance.
+    To create or manage clusters in a folder, a Folder Admin also needs the {% if page.name == 'authorization.md' %}[Cluster Admin](#cluster-admin) or [Cluster Creator](#cluster-creator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator){% endif %} role on that folder directly or by inheritance. To delete a cluster, the Cluster Admin role is required on the cluster directly or by inheritance.

src/current/_includes/cockroachcloud/org-roles/folder-mover.md

@@ -1,7 +1,7 @@
-    A {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} can rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}).
+    The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role allows users to rename or move descendant folders, and move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}).
 
     {{site.data.alerts.callout_info}}
     A cluster cannot be renamed.
     {{site.data.alerts.end}}
 
-    A user with the {% if page.name == 'authorization.md' %}[Org Administrator](#org-administrator) or [Folder Admin](#folder-admin){% else %}[Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can grant another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to grant themselves the Folder Mover role.
+    A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin) or [Folder Admin](#folder-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can assign another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to assign themselves the Folder Mover role.

src/current/_includes/corestyle.scss

@@ -1063,3 +1063,44 @@ div#feature-highlights .feature-description {
 		}
 	}
 }
+
+.roles-table {
+  table {
+    width: 100%;                // Let the table stretch to the full container width
+    table-layout: auto;         // Allow browser to size columns based on content
+    border-collapse: collapse;  // Merge borders between cells
+  }
+
+  // Style the first column (permission names)
+  th:first-child,
+  td:first-child {
+    width: 45%;                 // Allocate more space to the permission column
+    min-width: 250px;           // Prevent it from shrinking too much
+    text-align: left;           // Left-align permission text for readability
+    font-weight: 500;           // Slightly bold for emphasis
+  }
+
+  // Style all table cells
+  th,
+  td {
+    min-width: 65px;            // Prevent narrow columns from collapsing
+    padding: 8px;               // Add spacing inside cells
+    word-wrap: break-word;      // Allow long words to wrap
+    white-space: pre-wrap;      // Preserve line breaks from Markdown
+    vertical-align: top;        // Align content to the top of the cell
+    line-height: 1.4;           // Improve readability with line spacing
+    text-align: center;         // Center role cells by default
+  }
+
+  // Add zebra striping for even-numbered rows
+  tr:nth-child(even) {
+    background-color: #f9f9f9;
+  }
+
+  // Style all columns except the first (role columns)
+  th:not(:first-child),
+  td:not(:first-child) {
+    max-width: 100px;           // Cap role column width to avoid overflow
+    width: 1%;                  // Hint browser to minimize these columns if possible
+  }
+}